Anonymous is Dead: Long Live Anonymous

...and so is my adolescent love of the Guy Fawkes mask.

The recent arrest of 25 Anonymous-“affiliated” hackers by Interpol last week inspires a lot of thoughts on the nature of criminality and the future of cybercrime and cyberlawenforcement. (One such thought is that we need to come up with better terminology than just “cyberwar.” The term “war” is hard enough to understand in the 21st century context.)

The dynamic at play between hackers on the one side and governments (and their wealthy patrons) on the other is such that each has its own set of comparative advantages.

Criminals almost always have the upper hand in innovation. There’s more criminals than government officials paid to track criminals down. And the short-run, individual self-interests align in favor of criminals. If they succeed they (1) earn money/make a political point and (2) evade capture. If the criminal fails s/he goes to prison. On the other hand if a law enforcement official, even one acting solo, succeeds, s/he may not even get a raise. And public accolades, as is the case in organized crime, means s/he cannot continue his or her job and may, in fact, be placed at considerable risk. In some instances it’s actually better for the law enforcer to fail to enforce the law.

However, cute idioms aside, there really is no honor among thieves. Their career is entirely self-interested and competitive. The government fails to enforce contracts or protect property rights between them and the result is that such things are enforced through violence. And, violence begets violence. With the exception of organized crime, career criminals are forced into brutal, short, solitary lives, to wax Hobbesian. The lives of organized criminals are also Hobbesian, but the brutality rises up to the level of the firm, such that some element of trust and honor is allowed amongst members of the firm. Organized criminal networks also lower other transaction costs and are able to reap the benefits in the form of increased profits.

However, in both cases, in order to combat law enforcers, resources have to be directed away from profit-seeking and toward profit-protection. It’s an operating cost. Organized criminal networks are far better an marshalling resources toward profit protection because of the ability to differentiate and specialize tasks and reassign low-margin employees in one task to the profit-protection racket. Think of profit-protection falling on the staff side of the line/staff management split.

That’s the rough and ready of it. Now enter Anonymous.

Paul Collier has a nice essay on insurgents as criminals [PDF] But these criminals, unlike solely self-interested profit seekers are simultaneously fighting for ideological reasons as well as to create a new political environment where their past rebellion is not criminal (but future rebellions will be).

Unlike most criminal groups Anonymous is not “rebelling” in the traditional sense. Nor are they mere profit seekers. Their ideology is “democratic” in one sense, demanding transparency. But their power comes from their elite (1337) status as procurers or obscurers of knowledge. If the Anonymous community grew large enough, they would become permanent gatekeepers of all government and private corporate information.

However, their anarchist trends make them weak (and of course formalizing their structure would make them hypocritical).

What’s interesting about this arrest is that “Operation Unmask” was only launched a couple of weeks before the arrests were made. There are a couple of ways to look at this. On the one hand as the Anonymous collective rises in popularity and attracts a larger pool of hackers, they are bound to pull in less careful, less skilled hackers. They’re going to get caught,and potentially drag more skilled hackers along with them because of the connections they make in the darknet (and confessions pulled from actual in-person interrogations).

But I think what we’re seeing is the result of more governments putting more resources into cyber-investigations. The use of Interpol here is telling. I have not once sat through a lecture or presentation that mentions Interpol that doesn’t do so offhandedly, if not downright insultingly. I don’t want to go so far as to say that Interpol is a joke; it’s just that their constraints as law enforcers are far more noticeable than their strengths. However, cybercrime is the most fluidly transnational activity of all activities across all time. It’s an area that is tailor-made for Interpol to take a strong lead…and they have since the early 90s.

Two weeks to net over two dozen hackers. That’s amazing.

Another telling factoid that makes me think that this is more a result of government success than it is a result of Anonymous’ newly expanded network is the nature of their denial. According to James Bosworth who works on Latin American security issues writes

A local branch of Anonymous claims that the people arrested were infiltrated by police and informants, not caught by technological means.

Even if this were true, it’s meaningless, and it highlights the juvenile attitude of the Anonymous collective. What this kind of remark says is that Anonymous thinks of their activity as pure oneupsmanship, that success comes in the form of technological bragging rights. This is a holdover from the hacker community at-large which operates on a code-breaking meritocracy.

But governments aren’t competeting for digital laurels. Some of the wo/men behind the governments’ operations are almost certainly tallying up which hackers they make and break. They come from the same community, after all. But as an institution, the government has no such investment in hacking per se. They notch their belt when they get the conviction.

Besides, as all of us know who’ve stuck our nose just a little into studying cybercrime, a key weapon of the hacker is the social engineering side. This gets lost in the pure technological ease of swiping credit card numbers, but real hacks often require phone calls and conversations. They require showing up to office buildings and pretending to be a new hire to get access to a terminal, or going into banks to convince a teller to provide a critical last detail on an account.

Infiltrating the cyberunderworld is often of both worlds, the hacking meritocracy on one side, and social engineering, interactive psychology on the other. In once incident described in Misha Glenny’s Dark Market a cyber law enforcer and his team had successfully gained entrance to an online hackers community—the process of gaining entry including being vetted by moderators and other senior-level members of the community, no simple task. But a slip-up later nearly had them discovered. So the police used a bit of fine psychology to trip up their targets and create an intra-collective diversion that took attention away from their team while they pushed forward with their investigation and arrests.

What does these arrests mean for the future of government enforcement of cyberlaw in the international community? It’s hard to say. It does seem to indicate that the government is getting better at their side of the ledger, which almost certainly means that the cybercriminals will be rushing to tilt the balance back toward their side. It also means that cybercriminals will be shifting some of their resources away from profit-seeking and ideology-spreading and toward more complex evasive measures. It also should mean that the pool of low-quality hackers will be blocked, purged, or extracted from the hacker collective, which should make future refinements more efficient. In any case, this is the kind of event that can become a tipping point leading to a full-on cyber arms race.

PHOTO: I totally snagged that photo off the Washington Post slideshow on Anonymous.

Enhanced by Zemanta
Tags : , , , , , , ,